top | item 43694671

(no title)

Off-topic: What is a good learning resource about TLS?

I've read the basics on Cloudflare's blog and MDN. But at my job, I encountered a need to upload a Let's encrypt public cert to the client's trusted store. Then I had to choose between Let's encrypt's root and intermediate certs, between key types RSA and ECDSA. I made it work, but it would be good to have an idea of what I'm doing. For example why root RSA key worked even though my server uses ECDSA cert. Before I added the root cert to a trusted store, clients used to add fullchain.pem from the server and it worked too — why?

discuss

ivanr|10 months ago

I have a bunch of useful resources, most of which are free:

- If you're looking for a concise (yet complete) guide: https://www.feistyduck.com/library/bulletproof-tls-guide/

- OpenSSL Cookbook is a free ebook: https://www.feistyduck.com/library/openssl-cookbook/

- SSL/TLS and PKI history: https://www.feistyduck.com/ssl-tls-and-pki-history/

- Newsletter: https://www.feistyduck.com/newsletter/

- If you're looking for something comprehensive and longer, try my book Bulletproof TLS and PKI: https://www.feistyduck.com/books/bulletproof-tls-and-pki/

unknown|10 months ago

[deleted]

dextercd|10 months ago

I learned a lot from TLS Mastery by Michael W. Lucas.

throwaway96751|10 months ago

Thanks, looks exactly like what I wanted

bbkane|10 months ago

I wrote a list of resources that helped me at https://www.bbkane.com/blog/learn-ssl/

hi41|10 months ago

Thx. For one API in my company, there is only root and intermediate certificates are present in the jks file but the leaf certificate is not. Would encryption work without a leaf certificate?

In another instance to connect to a server, only the root certificate is present in the trust store. Does it mean encryption can be performed with just the root certificate.

throwaway96751|10 months ago

> SSL is one of those weird niche subjects that no one learns until they run into a problem

Yep, that me.

Thanks for the blog post!

unknown|10 months ago

[deleted]

unknown|10 months ago

[deleted]

physicles|10 months ago

Use ECDSA if you can, since it reduces the size of the handshake on the wire (keys are smaller). Don’t bake in intermediate certs unless you have a very good reason.

No idea why the RSA key worked even though the server used RSA — maybe check into the recent cross-signing shenanigans that Let’s Encrypt had to pull to extend support for very old Android versions.

throwaway96751|10 months ago

I've been reading a little since then, and I think it worked with RSA root cert because this cert was a trust anchor of the Chain of Trust of my server's ECDSA certificate.

unknown|10 months ago

[deleted]

pizzafeelsright|10 months ago

Curious why you wouldn't have a Q and A with AI?

If the information is relatively unchanged and the details well documented why not ask questions to fill in the gaps?

The Socratic method has been the best learning tool for me and I'm doubling my understanding with the LLMs.

throwaway96751|10 months ago

I think this method works best when you can verify the answer. So it has to be either a specific type of question (a request to generate code, which you can then run and test), or you have to know enough about the subject to be able to spot mistakes.